rfc 5155

Ben Laurie celebrates the publication of
RFC 5155. I
hadn’t gotten around to blogging about it, but I’m also pretty happy
that this RFC finally made it
out. Ben says:

It turns out that in general, to prove the nonexistence of a name
using NSEC you have to show at most two records, one to prove the
name itself doesn’t exist, and the other to show that you didn’t
delegate some parent of it. Often the same record can do both. In
NSEC3, it turns out, you have to show at most three records. And if
you can understand why, then you understand DNS better than almost
anyone else on the planet.
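The counting rule in that quote, worked through in code. This is an added example, not code from RFC 5155 or from its editors: the four-name zone is constructed, the salt and iteration count are those of the RFC 5155 Appendix A example, records are reduced to (owner, next, types) tuples with no RRSIGs and no Opt-Out flag, and every function name is mine. The two prove_nxdomain_* functions collect the records a validator needs for an NXDOMAIN answer and drop duplicates, which is where "at most two" and "at most three" come from: with NSEC the record covering the name also fixes which ancestor exists, while with NSEC3 the hashes carry no hierarchy, so the closest encloser has to be shown by a separate matching record.

```python
"""Toy denial-of-existence proofs for NSEC (RFC 4035) and NSEC3 (RFC 5155).

Added illustration, not code from either RFC or from its editors. The zone is
constructed; salt and iterations are those of RFC 5155 Appendix A. Records are
plain tuples (owner, next, types): no RRSIGs, no Opt-Out.
"""
import base64
import hashlib


def labels(name):
    """Lower-cased labels of a dotted name, root label omitted."""
    return [lab for lab in name.lower().strip(".").split(".") if lab]


def canon_key(name):
    """RFC 4034 s6.1 canonical order: labels compared right to left, an
    ancestor sorting before every name below it."""
    return tuple(reversed([lab.encode() for lab in labels(name)]))


def wire(name):
    """Canonical wire form: length-prefixed lower-case labels, then root."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels(name)) + b"\x00"


_TO_BASE32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 s5: IH(salt,x,0)=H(x||salt), IH(salt,x,k)=H(IH(salt,x,k-1)||salt),
    H = SHA-1, output in lower-case base32hex (which preserves byte order)."""
    digest = hashlib.sha1(wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_BASE32HEX).decode().lower()


# Constructed zone: owner name -> RR types present at that name.
ZONE = {
    "example": {"SOA", "NS", "DNSKEY"},
    "a.example": {"A"},
    "ns1.example": {"A"},
    "w.example": {"MX"},
}
SALT, ITERATIONS = bytes.fromhex("aabbccdd"), 12   # RFC 5155 Appendix A values


def between(lo, x, hi):
    """True if x lies strictly inside the cyclic interval (lo, hi); the last
    record of a chain points back at the first, so the interval may wrap."""
    return (lo < x < hi) if lo < hi else (x > lo or x < hi)


def nsec_chain():
    """NSEC records in canonical name order, the last pointing at the apex."""
    names = sorted(ZONE, key=canon_key)
    return [(n, names[(i + 1) % len(names)], ZONE[n]) for i, n in enumerate(names)]


def nsec3_chain():
    """NSEC3 records ordered by hash: the chain reveals no name hierarchy."""
    hashed = sorted((nsec3_hash(n, SALT, ITERATIONS), n) for n in ZONE)
    return [(h, hashed[(i + 1) % len(hashed)][0], ZONE[n])
            for i, (h, n) in enumerate(hashed)]


def closest_encloser(qname):
    """Longest existing ancestor of qname, plus the 'next closer' name (one
    label deeper towards qname, which does not exist)."""
    labs = labels(qname)
    for i in range(1, len(labs)):
        ancestor = ".".join(labs[i:])
        if ancestor in ZONE:
            return ancestor, ".".join(labs[i - 1:])
    raise ValueError(f"{qname} is not below the zone apex")


def _collect(chain, wants):
    """First record satisfying each predicate, de-duplicated: one record may
    serve several of the proof's purposes at once."""
    needed = []
    for why, pred in wants:
        rec = next((r for r in chain if pred(r)), None)
        if rec is None:
            raise ValueError("no record to " + why)
        if rec not in needed:
            needed.append(rec)
    return needed


def prove_nxdomain_nsec(qname):
    """RFC 4035 s3.1.3.2: an NSEC covering qname (its owner/next pair also
    fixes the closest encloser) and an NSEC covering the wildcard there."""
    if ".".join(labels(qname)) in ZONE:
        raise ValueError(f"{qname} exists; nothing to deny")
    ce, _ = closest_encloser(qname)
    wants = [(f"cover {t}", lambda r, t=t: between(canon_key(r[0]), canon_key(t),
                                                   canon_key(r[1])))
             for t in (qname, "*." + ce)]
    return _collect(nsec_chain(), wants)


def prove_nxdomain_nsec3(qname):
    """RFC 5155 s7.2.2/8.4: an NSEC3 *matching* the closest encloser (hashing
    hides ancestry, so its existence is shown explicitly), one *covering* the
    next closer name, one covering the wildcard at the closest encloser."""
    if ".".join(labels(qname)) in ZONE:
        raise ValueError(f"{qname} exists; nothing to deny")
    ce, nc = closest_encloser(qname)
    h = lambda n: nsec3_hash(n, SALT, ITERATIONS)
    wants = [
        ("match closest encloser " + ce, lambda r: r[0] == h(ce)),
        ("cover next closer " + nc, lambda r: between(r[0], h(nc), r[1])),
        ("cover wildcard *." + ce, lambda r: between(r[0], h("*." + ce), r[1])),
    ]
    return _collect(nsec3_chain(), wants)


if __name__ == "__main__":
    q = "x.y.example"
    print("NSEC  records needed:", len(prove_nxdomain_nsec(q)))
    print("NSEC3 records needed:", len(prove_nxdomain_nsec3(q)))
```

With the Appendix A parameters, nsec3_hash("example") reproduces the owner name of the apex NSEC3 in that appendix, which is a useful sanity check for any NSEC3 implementation. For the constructed zone, the NSEC proof of x.y.example needs two records (the wildcard *.example sorts between the apex and a.example, the name itself falls in the wrap-around interval after w.example), while the NSEC3 proof needs up to three; change the salt and the covering records move, but the closest-encloser match never goes away.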

One of the fascinating things about working on NSEC3 was that it
forced us to really understand how existence in DNS
works. Basically, we had to develop the general form of the theory
when we already had a special case (in NSEC). So, after we figured out
how NSEC3 had to work, we actually knew more about how NSEC
worked. For me and our co-editor Roy, this RFC culminates the 2nd
round of working on some of the problems that NSEC3 solves. The
first effort was “DNSSEC Opt-In”, now published as an experimental
RFC, RFC 4956. (That effort
was also tied up in DNS minutiae and political wrangling and
ultimately failed to make the IETF standards track). For us, it feels
more like the culmination of 7 years of work.